
Introduction to international data transfers

Introduction to international data transfers. Jonathan Holbrook – Head of Data Protection Practice Geraldine Dersley – Solicitor (Head of Legal Profession). What does the DPA say about international transfers? Is there a recommended approach to complying with the law?



Presentation Transcript

  1. Introduction to international data transfers Jonathan Holbrook – Head of Data Protection Practice Geraldine Dersley – Solicitor (Head of Legal Profession)

  2. Introduction • What does the DPA say about international transfers? • Is there a recommended approach to complying with the law? • What about the machinery of international transfer compliance? • What does the future hold?

  3. ICO’s role and authorising transfers • ICO provides general advice and guidance • ICO does not routinely authorise one-off arrangements • BCR authorisations

  4. Guidance • “The Guide to Data Protection” (Section B8) • “The 8th Data Protection Principle and international data transfers” • BCR – FAQ and detailed guidance documents • (http://www.ico.gov.uk/tools_and_resources/document_library/data_protection.aspx) • Model contracts

  5. International transfers and the law • What does the Directive say? • Article 25(1) of Directive 95/46/EC: • “Transfers may only take place to a third country providing an adequate level of protection.”

  6. International transfers and the law • What does the DPA say? • 8th Data Protection Principle: • “Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

  7. Recommended approach – initial considerations • Do you need to transfer personal data? • Is there a transfer? • Does the 8th Principle apply? • Have you complied with the other principles?

  8. Transfer within EEA • There are no restrictions on transfers to EEA countries • These are currently: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom

  9. Transfer outside the EEA • Has there been a finding of adequacy under Article 25(6) of the Directive: “The Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.” • Countries with findings of adequacy: Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland, Israel, Andorra

  10. Safe Harbor • Is the transfer to a member of the US Safe Harbor? • US Department of Commerce website? • Voluntary mechanism for US organisations agreeing to: • 7 principles of information handling • be held responsible for keeping to those principles by the Federal Trade Commission or other oversight scheme

  11. Adequate level of protection • In other cases, transfer can go ahead if data controller is satisfied in the circumstances that there is adequate level of protection. You can: • Assess adequacy yourself • Use contracts including the European Commission approved model contractual clauses • Get your Binding Corporate Rules approved by the Information Commissioner • Rely on exceptions from the rule

  12. Assessing adequacy • Data controllers required to ensure adequacy of protection in all the circumstances of the transfer including: • Nature of personal data being transferred • Use of personal data and for how long • Laws and practices of the destination country • Extent to which the country has adopted DP standards • Whether you can ensure that the standards are achieved in practice • Whether there is effective procedure to enforce individual rights and obtain compensation

  13. Implementing adequate safeguards • Article 26(2) of the Directive • “Member States may authorise a transfer to a third country which does not ensure an adequate level of protection where the controller adduces adequate safeguards with respect to the protection of privacy; such safeguards may in particular result from appropriate contractual clauses.”

  14. In layman’s terms… • You have decided a transfer is taking place • The data are going to a third country not on the approved list and not covered by Safe Harbor • You have assessed that, in some areas, adequate protection does not exist • Article 26(2) is a basis for introducing safeguards that “fill the gaps”

  15. Model contracts • EC and ICO approved contractual clauses • Controller to controller; controller to processor • Contracts place obligations on “exporter” and “recipient” • No changes to model clauses

  16. Binding Corporate Rules • Internal code of conduct for transfers within a multinational group but outside EEA • Approved by relevant European data protection authorities • Rights for individuals • Working Party documents: WP74, WP108, WP154

  17. BCR application • Applications must include: • Evidence that the rules are binding • Description of the processing and data flows • Safeguards • Mechanism for reporting and recording changes • Safeguards

  18. Other exceptions • Article 26(1) of the Directive and Schedule 4 DPA • Good practice: ensure adequate protection if it is possible to do so and only rely on an exception if it is not • Rights of individuals will weigh heavily against the interests of the data controller

  19. Exceptions • Consent • Contract performance • Substantial public interest • Legal proceedings, advice or rights • Vital interests • Public register

  20. and finally… • Have you recorded the basis on which your decisions have been taken?

  21. Subscribe to our e-newsletter at www.ico.gov.uk • Follow us on Twitter at www.twitter.com/iconews
